HOWTO SETUP SSH-PIPED FTP-BOUNCERS

 

Quite a few people have asked me to explain how to encrypt the FTP control channel so that people on the local network cannot sniff the passwords and so on.

SSH pipes (ssh port forwards) are the solution for this, and gftpd fully supports bouncers through ssh pipes.

 

Here are step-by-step instructions on how to do it correctly:

SITEBOX 130.130.230.230
BNCBOX 123.123.42.42
Requirements: ssh/sshd installed on both systems (e.g. OpenSSH: an ssh client on BNCBOX, sshd on SITEBOX) and gftpd's ftp bouncer

gftpd treats the string localhost as 127.0.0.1. When a connection comes out of the ssh pipe on SITEBOX it is made by SITEBOX's own sshd, so gftpd sees it coming from SITEBOX itself, not from BNCBOX. bounce_host must therefore be the address the pipe is forwarded to: forward to 127.0.0.1:4444 and you must enter 'localhost' as bounce_host; forward to 130.130.230.230:4444, as in the example below, and bounce_host is 130.130.230.230.

SITEBOX:~ # grep bounce /etc/gftpd.sysconfig
bounce_host 130.130.230.230
# 0 = secure bounce disabled (the bouncer also needs securebounce:0)
# 1 = secure bounce enabled (the bouncer needs securebounce:1)
# 2 = secure bounce enabled with showing /.ftp-data/refusebouncepage
securebounce 1

The ssh pipe _must_ be opened from BNCBOX to SITEBOX. Make sure no autologout variable (tcsh's autologout, bash's TMOUT) is active in the shell that holds the pipe, or open the pipe with -N so that no remote shell is started at all. Do _not_ use the -g flag: it lets hosts other than BNCBOX connect to the forwarded port, which compromises the security.

The direction BNCBOX -> SITEBOX is important. If you instead open the pipe from SITEBOX to BNCBOX with -R2222:ip:4444 you compromise the security, because the listening end of a -R (remote) forward can be reachable from other hosts, whereas a -L (local) forward binds to localhost and can only be used from the machine running the ssh client. (With OpenSSH a remote forward also binds to loopback unless GatewayPorts is enabled in the sshd_config on BNCBOX, but that is a setting of the remote sshd rather than of the ssh command you type, so only with -L is the loopback binding under your own control.) If you use -R anyway, you have to firewall port 2222 from outside connections.

BNCBOX:~ # ssh -L2222:130.130.230.230:4444 130.130.230.230

BNCBOX:~ # cat bouncer.conf
sourceport:8888
destinationport:2222
destinationhost:127.0.0.1
securebounce:1

BNCBOX:~ # ./bouncer

To summarise: BNCBOX now listens for incoming connections on port 8888 (so the login info you give users is 123.123.42.42:8888). When a connection comes in, the bouncer forwards it to localhost (BNCBOX) port 2222, from where it travels encrypted through the ssh pipe to the destination host (SITEBOX) and comes out on port 4444, the port gftpd is listening on. With securebounce 1 the bouncer first asks the daemon whether the ident@host is allowed; if it is, the bouncer hands the login prompt back to the user, otherwise it does not answer at all.
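As an added example (my script, not gftpd's or the HOWTO's): a small sh script that brings the pipe up the way the HOWTO does and refuses to start the bouncer unless port 2222 on BNCBOX is bound to a loopback address only, which is the check that catches a stray -g or another program squatting on the port. The addresses and ports are the HOWTO's; the ss/netstat parsing, the constructed sample listener tables, and the -N and explicit bind-address options (OpenSSH syntax) are my additions. It assumes ss or netstat is installed on BNCBOX, that the ssh login to SITEBOX is key-based (non-interactive), and that bouncer and bouncer.conf are in the current directory.

```sh
#!/bin/sh
# Added example; not part of the HOWTO or of gftpd. Brings up the
# BNCBOX -> SITEBOX pipe and, before starting the bouncer, checks that the
# local end of the pipe is a loopback-only listener.
# Assumed: ss or netstat on BNCBOX, key-based ssh login to SITEBOX,
# ./bouncer and ./bouncer.conf in the current directory.

SITEBOX=130.130.230.230   # address from the HOWTO
LOCALPORT=2222            # local end of the pipe = destinationport in bouncer.conf
SITEPORT=4444             # port gftpd listens on at SITEBOX

# check_loopback_only PORT LISTENERS
#   LISTENERS is text as printed by `ss -ltn` or `netstat -ltn`: one socket
#   per line, local address:port in the 4th column. Header lines have no ":"
#   in that column and are skipped.
#   Exit status: 0 = every listener on PORT is on 127.0.0.1 or ::1
#                1 = some listener on PORT is on a wildcard/external address
#                2 = nothing listens on PORT at all (the pipe is not up)
check_loopback_only() {
    printf '%s\n' "$2" | awk -v port="$1" '
        {
            n = split($4, p, ":")
            if (n < 2 || p[n] != port) next      # header line, or another port
            found = 1
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") bad = 1
        }
        END { if (!found) exit 2; if (bad) exit 1; exit 0 }'
}

# Constructed sample listener tables in ss -ltn format (not captured from a real box).
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:2222     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_NONE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# selfcheck: runs the checker over the three samples; returns 0 only if all
# three are classified correctly. Works offline, no ssh involved.
selfcheck() {
    rc=0; check_loopback_only "$LOCALPORT" "$SAMPLE_GOOD" || rc=$?
    [ "$rc" -eq 0 ] || return 1
    rc=0; check_loopback_only "$LOCALPORT" "$SAMPLE_BAD" || rc=$?
    [ "$rc" -eq 1 ] || return 1
    rc=0; check_loopback_only "$LOCALPORT" "$SAMPLE_NONE" || rc=$?
    [ "$rc" -eq 2 ] || return 1
    return 0
}

# start_pipe: the HOWTO's ssh command plus two OpenSSH options: -N starts no
# remote shell (so no autologout/TMOUT can drop the pipe) and the explicit
# 127.0.0.1 bind address states the loopback-only binding in the command
# line instead of relying on -g being absent.
start_pipe() {
    ssh -N -L "127.0.0.1:${LOCALPORT}:${SITEBOX}:${SITEPORT}" "$SITEBOX" &
    sleep 3
}

# verify_pipe: live check on this box; same exit codes as check_loopback_only.
verify_pipe() {
    if command -v ss >/dev/null 2>&1; then
        table=$(ss -ltn)
    else
        table=$(netstat -ltn)
    fi
    check_loopback_only "$LOCALPORT" "$table"
}

case "${1:-}" in
    up)
        start_pipe
        verify_pipe || { echo "port $LOCALPORT is not a loopback-only listener; not starting bouncer" >&2; exit 1; }
        exec ./bouncer
        ;;
    *)
        selfcheck && echo "listener check self-test passed"
        ;;
esac
```

Run `sh setup-pipe.sh up` on BNCBOX to start the pipe, verify it, and exec the bouncer; run it without arguments to self-test the listener check offline. If verify_pipe exits 2 the pipe never came up (check the ssh login); if it exits 1 something on BNCBOX is listening on 2222 for the outside world and the bouncer must not be started.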

Have fun with the increased security. Any questions: jonni@gftpd.org (PGP public key)